I am attempting to import a Certificate into the Current User -> Personal store using the command line: "importpfx -f [certificate name.p12] -p [password] -t USER -s Personal".
It works, but for reasons I don't understand there are now two Personal stores under the Current User, and the imported certificate is in the new Personal store.
When I try to connect to the website of [a well-known money transfer service], it fails. However, if I manually import the certificate using MMC into the original Personal store, it works.
My question is: How can I force IMPORTPFX to import the certificate into the original Personal store, and how can I delete the new Personal store?
Context:
I need to do a silent import of certificates on 3000+ remote point-of-sale Windows XP devices, so it needs to be a silent install via PSEXEC (SysInternals).
Thank you. Pieter.
“Personal” is a just friendly name of the certificate store which is internally identified as My. You need to use
importpfx -f [certificate name.p12] -p [password] -t USER -s My
Related
I'm now setting up libreswan server - client.
Basically, I'm trying to follow a procedure described here.
https://kifarunix.com/setup-ipsec-vpn-server-with-libreswan-on-centos-8/
I created client certificate which is aaa.bbb.p12 from the server machine using pk12util command.
And copied to client machine and import using ipsec import aaa.bbb.p12
ipsec import aaa.bbb.p12 was successful.
But I don't know where this file stored when ipsec import command was executed.
Is there any way I can browse this certificate file using a certain command?
I found something but not perfect.
I copied aaa.bbb.p12 and used ipsec command like below.
# ipsec import ./aaa.bbb.p12 --nssdir /etc/ipsec.d/certsdb
Then, I can see the certificate using the command below.
# certutil -L -d sql:/etc/ipsec.d/certsdb
But I still have one more problem.
If I import one more certificate file such as aaa.ccc.p12.
Then, it is imported but it does not display certificate's name.
Even though I imported aaa.bbb.p12 and aaa.ccc.p12 but the command below shows only aaa.bbb twice.
# certutil -L -d sql:/etc/ipsec.d/certsdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
aaa.bbb u,u,u
aaa.bbb u,u,u
everyone.
I hope that someone can help to answer my question.
I am joining a project in which I have to use various docker containers. I was told that I just needed to use docker-compose to pull down all the necessary containers. I tried this, and got two different errors, based on whether I used sudo or not. My machine is Ubuntu bionic beaver 18.04.4LTS
I have docker-engine installed according to the installation instructions for Bionic on the github page, and docker-compose is likewise installed according to its instructions. I did not create a "docker" group since I have sudo access.
We have two repos that I have to log in to before I can do anything. In order to prevent my passwords from being stored unencrypted in config.json, I followed this guide to set up a secure credential store:
https://www.techrepublic.com/article/how-to-setup-secure-credential-storage-for-docker/
However, rather than asking me for the password and/or passphrase mentioned in this article, the login process makes me enter the actual passwords to the repos. So, the secure credential store may not be working, which might be causing the problem.
At any rate, once I log in and the two commands show login succeeded, I then try to do a
docker-compose pull
on the repos. When I do
sudo docker-compose pull
I get this final error:
docker.errors.DockerException: Credentials store error: StoreError('Credentials store docker-credential-pass exited with "exit status 2: gpg: WARNING: unsafe ownership on homedir '/home/myuser/.gnupg'\ngpg: decryption failed: No secret key".')
an ls of the .gnupg directory is
myuser#myhost$ ls -lA ~ | grep gnupg
drwx------ 4 myuser myuser 226 Feb 9 13:35 .gnupg
gpg --list-secret-keys shows my keypair when I run it as myuser.
I am assuming that what is happening is that because I am running as sudo the user trying to access this directory is root, not myuser, and so it is failing. However, if I leave off the sudo
docker-compose pull
docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))
I am guessing that this is because my normal user doesn't have the ability to connect to the docker daemon's Unix socket.
So, how do I make these play together? Is the answer to add a docker group so that the command still runs as myuser and not as root? or is there another way to do this?
Also, why is my credential store not asking me for the password set by docker-credential-pass or the GPG passphrase? I suspect these two are related. Perhaps the pull is trying to send my authentication tokens over again and can't because it doesn't have access to the secure credentials store.
All of the above are guesses. Does anyone know what is going on here?
Thanking you in advance,
Brad
I just wanted to follow up with a solution to this question that worked for me.
Firstly, you need to add your user to the docker group that was created during docker-engine's installation.
sudo usermod --append --groups docker your_user_name
Because I had already used sudo to try this, there were a few files that ended up being created by root.
So, you have to chown a few things.
sudo chown your_user_name:your_group_name ~/.docker/config.json
Note that for the group name I used
docker
but I'm not sure if that's necessary.
Then, there were files inside the ~/.password-store directory that needed to be changed.
sudo chown -R your_user_name:your_group_name ~/.password-store
Most of these files are already owned by you, but the recorded credentials are not.
Then, the magic that fixed it all. From
https://ask.csdn.net/questions/5153956
you have to do this.
export GPG_TTY=$(tty)
and it is this last that makes gpg work.
Then, you can log in to your repos if you have to without using sudo
docker login -u repo_user_name your_repo_host
and then log in with your repo password.
Note that I don't know why you have to use the repo password instead of using the stored credentials.
Once you log in, you should be able to do a
docker-compose pull
without sudo
from the directory where you want the containers to be placed.
Note that you will probably have to provide your GPG passphrase at first. I'm not sure about this because I had already unlocked the key by following the steps in the above link to check to see if docker-credential-pass had the right credential store password stored.
and that should do it.
Summary:
As I'm integrating CI to the development workflow, I'm also trying to move the executions of Bitrise workflows to our local iOS Mac Computer which is setup as a Jenkins slave.
The projects that I'm trying to build therefore needs to be built on this iOS Computer.
Problem:
I'm trying to establish an ssh connection to an integration user (a GitHub account that has access to my repositories) and I have created a key and added it to the GitHub user as well as to the .bitrise.secrets.yml file.
But when the initial step, the activate-ssh-key step is executed, it results with an error that I can't add the SSH key to the ssh-agent with empty passphrase. (Is this somehow configurable? Can I just evade this?)
Here is the output log:
https://pastebin.com/FCHhZNDb
Step in bitrise.yml:
- activate-ssh-key#4.0.2: {getenv "SSH_RSA_PRIVATE_KEY"}
.bitrise.secrets.yml:
envs:
- SSH_RSA_PRIVATE_KEY: ssh-rsa *KEY*
|------------------------------------|
I have also tried putting the ssh key directly in the .ssh directory which did not work.
Any help is really appreciated! :)
TL;DR
Trying to connect bitrise cli with github via ssh, doesn't work.
The SSH key you used seem to be protected with a passphrase. You should generate one that does not require a passphrase to be specified, and register that for the repository.
How to generate such an SSH key: https://devcenter.bitrise.io/faq/how-to-generate-ssh-keypair/
ssh-keygen -t rsa -b 4096 -P '' -f ./bitrise-ssh -m PEM
Alternatively you can replace the Activate SSH Key step with a script one and activate the SSH key any way you like.
Or if you prefer to not to use SSH keys you could switch to using https:// git clone urls (instead of the SSH / git# one) and replace the Activate SSH Key step with the Authenticate with GitHub OAuth one (https://www.bitrise.io/integrations/steps/authenticate-with-github-oauth).
The below command adds a certificate to trusted root:
certutil.exe -addstore -f "root" "wienticket.cer"
But this seems to add the certificate only for the current user. What changes do I need to make to install it for all users ?
I read this from a posting in the Windows SysInternals forum.
The HKCU - hive key current user - will point to that user's hive key who authenticated on the remote machine with the help of psexec. It will not point to the user's hive key who has logged on interactively to the machine's desktop, unless both accounts happen to be identical.
I am facing the same problem with trying to push the signer and cert associated with a self signed certificate to the HKEY_CURRENT_USER/Software/Microsoft/SystemCertificates/Root/Certificates folder in the Windows registry for the user signed onto the remote machine.
If the userid and password used with PsExec are the same as the user currently logged onto the remote machine everything works fine. The PKCU registry entries get added as expected.
Since we can't ask each end-user for their AD password I am trying to sort out how I can get this to work when both accounts aren't identical. I have a Windows service account that has admin rights on all the PCs in the domain I am trying to push the cert and signer out to. If I use that account with psexec the registry entries do not get added for the user logged onto the remote PC.
Is there any way I can I write to HKEY_CURRENT_USER using psexec when both accounts aren't identical? That is, when the account used with the psexec command is not the account that is currently logged onto the remote PC.
example:
User remoteuser is logged onto the remote PC on which we want to install the cert entry into the HKCU hive but we use a different user/account with psexec. We do this because we don't know the AD passwords for all the remote users we want to update the HKCU hive for.
That would be a serious security issue.
In this example we use the psexecuser account to start the psexec service on the remote PC that the AD user remoteuser is logged onto.
C:\psexec #C:\remoteUserPCList.txt -u ourdomain\psexecuser -p psececuserpassword -d -c -f C:\InstallSSLCertinHKCU.bat
The HKCU registry entries do not get added for the remoteuser account on the remote PC.
Any fixes that would work with psexec would be a great help. I suspect we could use AD GPO but I am hopeful that there is some trick out there that can be used with PsExec.
regards
psexec can't impersonate the logged-on user. But you don't need to push a self-signed certificate to the user's profile on the remote machine, you can push it to the computer account instead, and you can even do that with group policy.